opinion I’ve had an interesting and robust conversation online in the last day regarding how Australian councils and governments are using overseas services like SurveyMonkey to collect information from citizens and residents.

It’s no secret that SurveyMonkey in particular is widely used, with other tools like SurveyGizmo and Wufoo also used by many Australian councils and governments to collect personal information from citizens in consultations. I think these are great tools – well-made and cost-effective. In the past, I have also encouraged and supported their use.

However every council and agency using them needs to be very careful in doing so.

Many of these tools are owned by US companies, which makes them subject to the Patriot Act and Foreign Intelligence Surveillance Act (FISA). The Patriot Act, passed in 2001, was designed to fight terrorism in the US and strengthened FISA, originally passed in 1978 , to make it legal for certain US agencies to request data from US companies pertaining to non-US citizens, while prohibiting the company from revealing that the data has been taken.

What this means in practice is that any data collected by an Australian government or council in a US owned services such as SurveyMonkey may be provided to the US government, without informing or requiring the permission of the Australian jurisdiction or the individuals whose personal data is taken.

Whether or not the US government exercises its rights under the Patriot Act and FISA, any Australian government using US-owned online services (regardless of where in the world they are hosted), cannot legally make the guarantees they are required to make under the Australian Privacy Act to control how any personal information they collect on citizens and residents is distributed or used and to only use the data for the purpose for which it was collected.

This poses a major challenge to Australian councils and agencies as they are open to being found in breach of the revised Privacy Act, which now includes million dollar fines for governments that do not comply with it.

I recommend reading the new Australian Privacy Principles (APPs), as provided by the Office of the Australian Information Commissioner, to get an overview of the impact of the privacy changes, in particular APP 1 (which requires actual privacy documentation from entities), APP 2 and APP 8.

APP 2 outlines the requirement to support anonymous and pseudonymous responses to consultations – meaning that any service or approach (including RSVPs to a physical event) that requires a user’s real name may no longer be legally able to be the only channel for consultation responses.

APP 8 is particularly worth reading for how organisations that collect personal data are allowed to share it across jurisdictions. I’ll let people read it for themselves and source their own legal interpretation, as it places a large legal question mark over the use of US-owned services due to the Patriot Act and FISA.

Any council using US-owned online engagement tools must decide whether convenience and saving a few dollars is worth the risk – knowing that they are breaking Australian law.

Of course this shouldn’t stop councils or agencies from using online engagement services. Provided an online engagement service meets the requirements of the Privacy Act it is fine for an Australian government to use them. This covers data collection services from companies domiciled in nations which do not have an equivalent to the Patriot Act and FISA – such as the UK, New Zealand and Canada, amongst others.

It also doesn’t exclude the use of US-owned services such as Facebook, LinkedIn and Twitter where citizens have directly chosen to sign-up to the service based on its terms of service. The presumption is that citizens will do due diligence and make their own risk assessment regarding whether they are happy to comply with US laws. Where governments have a presence, they are not the direct intermediary for citizens using the service and therefore only need to be mindful of the privacy ramifications of information published on the council or agency’s own account pages.

It may also be possible to mitigate legal risks around tools like SurveyMonkey through excluding all personal questions in surveys – although this could be more difficult to defend in some cases as the IP address and other metadata automatically collected by these services may be sufficient to built a connection and identify a respondent.

Or government agency or council could require all respondents to agree explicitly before engaging that they understand that the Australian jurisdiction collecting their data cannot guarantee the safety of that information due to US law – although this could seriously damage the level of actual engagement and trust.

Fortunately, however, when agencies and councils look into the use of online engagement tools they don’t need to only look at US or other overseas providers. There are local providers of online engagement tools, including the company I now lead, Delib Australia.

Local providers are required to meet all Australian laws and, for the most part, host their services locally (as Delib does), removing jurisdictional risk and potentially making them faster to use (as data doesn’t have to travel over congested international networks).

That can raise prices a little – hosting in Australia is more expensive than hosting in the US and local providers can’t access the same economies of scale or venture funding as US companies. However it doesn’t raise the price that much, when considering the benefits of local support (in Aussie timezones) and greater responsiveness to local government needs.

Speaking with my Delib hat on, as I know Delib’s prices best, councils and not-for-profits across Australia can access Delib’s combined Citizen Space and Dialogue App services for under $500 per month.

State and federal agencies, who need greater flexibility and control, won’t pay much more for Delib’s robust, well-tested, online survey and discussion tools, which were co-designed with governments for government use, and comply with Australian privacy, security and accessibility requirements. Other local providers offer a variety of other online engagement tools and should also be considered.

So when an Australian council or government agency wants to engage online its staff should think very carefully about whether they select a US-based service, or a local provider – considering whether they are willing to trade a little in cost for a great deal in legal risk, loss of control and less support. They also consider whether they wish to support Australian or US businesses, Australian jobs or US venture capitalists.

HI Simon! No, its not all I took out of the article … perhaps i forgot to add ;-) at the end.

The Patriot Act stuff, however, is a well traveled argument already … but Craig quite rightly brings us up to speed on the nuances of the new APPs. The general trend on cloud services is for them to come more local either by the global service offerings landing onshore or local service offerings popping up to replicate onshore in response to requirements to keep data more local.

“Hmmm … so … this post is really just an infomercial for Delib’s Citizen Space and Dialoge App services?”

hey Steve,

I was conscious when posting this article that it did promote the services of Craig’s company. However, as Craig is well-respected in the industry and his article raised a number of valid points, I chose to post the article anyway. I made sure the commercial link was listed right up-front in the first paragraph.

Of course, much of the material that gets posted on Delimiter is subtly promoting products or services of one form or another. That’s what the technology sector is fundamentally about — implementing products and services. Every enterprise IT case study story we do ends up helping to promote the interests of one vendor or another. That’s the problem with writing about products to start with. However, I think there’s usually very good points made regardless, which is why we soldier on ;)

Of course, Delimiter will post a response from SurveyMonkey or other companies if they want us to!

Craig’s point about buying local is perfectly valid – I want my children to have jobs.

I’m a bit wary about waving the Patriot Act flag however because this is a two edged sword in a global digital economy. If we are saying that we don’t trust US-based cloud services are we also suggesting that other countries shouldn’t trust Australian-based cloud services (given the close intelligence relationships between the two countries) or more generally that only local cloud services are trustworthy? This seems to limit cloud service export possibilities …

I think this argument leads into a deep and smelly swamp. Better to focus on selling the functional benefits of the service and the value-add of a provider that can keep data within a nominated jurisdiction – such as the country of its creation.

I’m sure that one of the big benefits of a locally-based survey/consultation offering will be the added-value of participation in collaborative networks across councils and jurisdictions … subject, of course, to APP compliance. This adds a local value beyond the narrow functionality that a global tool can provide perhaps?

Pretty simple – don’t request or capture PII (personally identifiable info) on these survey sites. Most of the info captured for simple surveys is likely to be innocuous and unlikely to be of any interest to others (are you happy with the frequency of your rubbish collection?).

I’ve trolled a few survey mokey surveys after finding them using Google. Some of my answers are hilarious IMHO. I hope that my answers were not taken seriously.

Comments are closed.

Book now available

Written by Delimiter Publisher Renai LeMay, The Frustrated State is the first in-depth book examining of how Australia’s political sector is systematically mismanaging technological change and crushing hopes that our nation will ever take its rightful place globally as a digital powerhouse and home of innovation.

Welcome! We were an energetic and engaged community of Australians who worked with or who were interested in technology -- all sorts of IT professionals, IT managers, CIOs, tech policy-makers and tech enthusiasts.